Abstract

The correctness of safety-critical embedded software is crucial, and non-functional properties such as deadlock-freedom and real-time constraints are particularly important. The real-time calculus Timed CSP is capable of expressing such properties and can therefore be used to verify embedded software. In this paper, we present our formalization of Timed CSP in the Isabelle/HOL theorem prover, which we have formulated as an operational coalgebraic semantics together with bisimulation equivalences and coalgebraic invariants. Furthermore, we apply these techniques to an abstract specification with real-time constraints, which is the basis for current work in which we verify the components of a simple real-time operating system deployed on a satellite.


1 Introduction 

The correctness of software in embedded safety-critical real-time systems is essential for their correct 
functioning. Failures in the software used in these areas may cause high material costs or even the loss 
of human lives. We address the problem of developing methods to increase confidence in these systems. 
We are looking for mathematical models needed to develop and reason about formal specifications of 
such systems, and at the same time we want to ensure that the reasoning process itself is correct. 

The context of our work is the VATES project [GHJ07], which is funded by the German Research Foundation (DFG). Our objective is the formal verification of embedded software systems, from an abstract specification to an intermediate representation (as used in compilers) and, finally, to machine code. The real-time operating system BOSS [MRH05], employed among others in a space satellite, is used as a case study to evaluate our techniques.

In our approach, we use the process calculus Timed CSP [Sch99] as the mathematical basis for formal proofs. Timed CSP is a formal modeling language that allows for the convenient specification and verification of reactive, concurrent real-time systems. We formalize our specifications and correctness proofs in a theorem prover, in which proofs are mechanized and (at least partly) automated. Unlike testing or simulating specifications, theorem proving allows us to gain absolute assurance of correct system behavior. In this paper, we propose a formalization of Timed CSP in the Isabelle/HOL theorem prover [NPW02] to combine both advantages, namely specifying real-time systems concisely and mechanizing correctness proofs for properties of their specifications.

The rest of this paper is organized as follows: In Section 2, we give some background information about Timed CSP, bisimulations, invariants and the Isabelle/HOL theorem prover. In Section 3, we present our formalization of the operational semantics of Timed CSP and the coalgebraic notions of bisimulations and invariants. In Section 4, we present an application of the formalization to verify a simple model of a satellite system. Related work is discussed in Section 5. Finally, in Section 6, we conclude and discuss ideas for future work.

2 Background 

In this section, we give a brief overview of the background of our work. First, we summarize the essence of the real-time process calculus Timed CSP by introducing its operational semantics such that Timed CSP may be seen as a timed labeled transition system. Then, we proceed by introducing the well-known notions of bisimulations [Mil89, JR97] and coalgebraic invariants [Jac97] for arbitrary labeled transition systems. We close this section with a short introduction to the Isabelle/HOL theorem prover, which we have chosen for our formalization in Section 3.

Figure 1: Syntax of Timed CSP

Figure 2: Part of the Operational Semantics of Timed CSP

2.1 Timed CSP 

As the starting point in the development chain of the VATES project, we chose the real-time process calculus Timed CSP [Sch99], which extends CSP (Communicating Sequential Processes) [Hoa85] with timed process terms as well as a timed semantics. Besides the specification and verification of reactive and concurrent systems, this also allows the verification of timing properties. Since we do not have enough space to present all details of (Timed) CSP, we refer to [Sch99] for a comprehensive introduction.

Let $\Sigma$ be a (communication) alphabet and $V$ a set of process variables. Furthermore, let $a$, $d$, $A$ and $X$ be variables with $a \in \Sigma$, $d \in \mathbb{R}^{+}$, $A \subseteq \Sigma$ and $X \in V$. Then the Timed CSP processes are given by the grammar in Figure 1.

Timed CSP extends the CSP calculus with the timed primitives $P \stackrel{d}{\triangleright} Q$ (Timeout) and $P \,\triangle_{d}\, Q$ (Timed Interrupt). Intuitively, the meaning of Timeout is that the process $P$ may be triggered by some event within $d$ time units. When the time expires, the process $Q$ of the Timeout construction handles this situation. The Timed Interrupt construction basically means the same, except that $P$ may (successfully) terminate within $d$ time units; otherwise $Q$ is started. Owing to space limitations, we concentrate on the most interesting semantic rules, which are given in Figure 2. For a complete semantics, see [Sch99].

The transitions of Timed CSP processes consist of instantaneous event transitions ($\xrightarrow{a}$) and timed transitions ($\xrightarrow{d}$). The event transitions are best understood as communication with some environment. This means in particular that an event is only communicated if the environment requests it. This interpretation is enforced by the semantic rules of timed steps, since there is no process construction forcing a visible event (all except $\tau$) to happen; in other words, time can advance if and only if no internal transition can occur.

In contrast to [Sch99], we model recursion by using the process variables $X \in V$. This means, for example, that the recursive process $P = a \rightarrow P$ is modeled by a process variable $P_X$, which is assigned to the (nonrecursive) process $a \rightarrow P_X$ with the assignment $asg : V \Rightarrow T_{CSP}$ ($T_{CSP}$ denotes the set of all Timed CSP processes). To define the semantics formally, it is therefore necessary to parameterize the rules of the operational semantics with such an assignment. The corresponding rule for process variables says that they are unfolded by an (invisible) internal event.

In this paper, the basic idea is to interpret Timed CSP as a timed labeled transition system, in which the states are given by the Timed CSP processes and the transition relation is given by event and timed steps. This enables the application of bisimulations and invariants, explained in the following section.

2.2 Bisimulations and Invariants 

A labeled transition system over an alphabet $A$ is a tuple $LTS = (S, T)$, where $S$ is a set of states and $T \subseteq S \times A \times S$ is the labeled transition relation. Instead of $(P, a, P') \in T$, we also write $P \xrightarrow{a} P'$. In addition, there is often a special event $\tau \in A$, which is interpreted as an internal event.

A timed labeled transition system over an alphabet $A$ is a triple $TLTS = (S, T, D)$, where $S$ is a set of states, $D$ is a time domain (which is closed under some addition) and $T \subseteq S \times (A \cup D) \times S$ is the timed transition relation. We assume $A$ and $D$ to be disjoint. Note that every timed labeled transition system can also be interpreted as a "simple" labeled transition system by joining the alphabet with the time domain.

Labeled transition systems are part of a more general theory, namely the theory of coalgebras [JR97]. 
Bisimulation turns out to be a strong and convenient proof principle for showing the equivalence of 
processes (states of the coalgebra). In addition, invariants [Jac97] allow the verification of liveness 
properties, as we show in Section 3.4. We introduce these notions for labeled transition systems in the 
following sections. 

2.2.1 Strong Bisimulation 

A relation $R \subseteq S \times S$ is called a bisimulation on a labeled transition system $LTS = (S, T)$ over $A$ if the following property holds: For all $(P, Q) \in R$ and $a \in A$:

(i) If $P \xrightarrow{a} P'$, then there is a $Q'$ with $Q \xrightarrow{a} Q'$ and $(P', Q') \in R$.

(ii) If $Q \xrightarrow{a} Q'$, then there is a $P'$ with $P \xrightarrow{a} P'$ and $(P', Q') \in R$.

2.2.2 Weak Bisimulation

Let $LTS = (S, T)$ be a labeled transition system over $A$ and $\tau \in A$ a special event, which is assumed to be internal, i.e., not visible to the environment. We write $P \xrightarrow{\tau}{}^{*} P'$ for the reflexive-transitive closure of the transition relation w.r.t. $\tau$, i.e., $P \xrightarrow{\tau}{}^{*} P'$ means $P \xrightarrow{\tau} \cdot \xrightarrow{\tau} \cdots \xrightarrow{\tau} \cdot \xrightarrow{\tau} P'$ for some (possibly zero) number of $\tau$ steps. We define a relation $\rightarrow_{\tau^{*}} \subseteq S \times A \times S$ as follows:

(i) If $P \xrightarrow{\tau}{}^{*} P'$, then $P \xrightarrow{\tau}_{\tau^{*}} P'$.

(ii) If $P \xrightarrow{\tau}{}^{*} P_1$, $P_1 \xrightarrow{a} P_2$ and $P_2 \xrightarrow{\tau}{}^{*} P'$ ($a \neq \tau$), then $P \xrightarrow{a}_{\tau^{*}} P'$.

A relation $R \subseteq S \times S$ is called a weak bisimulation on a labeled transition system $LTS = (S, T)$ over $A$ if the following property holds: For all $(P, Q) \in R$ and $a \in A$:

(i) If $P \xrightarrow{a} P'$, then there is a $Q'$ with $Q \xrightarrow{a}_{\tau^{*}} Q'$ and $(P', Q') \in R$.

(ii) If $Q \xrightarrow{a} Q'$, then there is a $P'$ with $P \xrightarrow{a}_{\tau^{*}} P'$ and $(P', Q') \in R$.

In contrast to strong bisimulations, every answering step may occur after and before arbitrarily many internal steps, which are assumed to be invisible to the environment.

2.2.3 Weak Timed Bisimulation

In the context of timed labeled transition systems $TLTS = (S, T, D)$ over $A$, we define weak timed bisimulations [dFELN99]. First, we define a relation $\rightarrow_{\tau\tau} \subseteq S \times (A \cup D) \times S$, which allows us to compress timed steps, with the help of $\rightarrow_{\tau^{*}}$ (defined over $A \cup D$):

(i) If $P \xrightarrow{a}_{\tau^{*}} P'$ and $a \in A$, then $P \xrightarrow{a}_{\tau\tau} P'$.

(ii) If for all $i \in \{0, \ldots, n\}$ (for some arbitrary $n \in \mathbb{N}$): $P_i \xrightarrow{t_i}_{\tau^{*}} P_{i+1}$ with $t_i \in D$ and $\sum_{i=0}^{n} t_i = t$, then $P_0 \xrightarrow{t}_{\tau\tau} P_{n+1}$.

A relation $R \subseteq S \times S$ is called a weak timed bisimulation on a timed labeled transition system $TLTS = (S, T, D)$ over $A$ if the following property holds: For all $(P, Q) \in R$ and $\beta \in A \cup D$:

(i) If $P \xrightarrow{\beta} P'$, then there is a $Q'$ with $Q \xrightarrow{\beta}_{\tau\tau} Q'$ and $(P', Q') \in R$.

(ii) If $Q \xrightarrow{\beta} Q'$, then there is a $P'$ with $P \xrightarrow{\beta}_{\tau\tau} P'$ and $(P', Q') \in R$.

Here, a timed step may also be answered by several consecutive timed steps whose summed duration equals the original time span. Furthermore, internal steps are allowed between these single timed steps.

All these kinds of bisimulation allow us to identify semantically equivalent processes with respect to the operational transition semantics. They all have exactly the same structure, i.e., for two equivalent processes $P$ and $Q$, every simple step of process $P$ must be answered by a "complex" step of $Q$ and vice versa. The various complex steps are used for hiding details of single steps. In contrast to simulations, not too much information is lost because of the symmetry property of bisimulations.

2.2.4 Invariants 

To reason about the states of a transition system, invariants can be used to identify invariant behavior. Let $LTS = (S, T)$ over $A$ be a labeled transition system. A predicate $I \subseteq S$ is called an invariant if the following property holds: For all $P \in I$, $Q \in S$ and $a \in A$:

If $P \in I$ and $P \xrightarrow{a} Q$, then $Q \in I$.

This means that invariants are closed under the transition steps of the transition system. Greatest invariants are of particular interest. Let $P \subseteq S$ be an arbitrary predicate on the state space of a labeled transition system. Then there exists a greatest invariant $\bar{P}$ with $\bar{P} \subseteq P$ (the union of all invariants contained in $P$). Intuitively, $P$ is reduced until it fulfills the property of an invariant. In the extreme case, $\bar{P}$ is the empty set, which is also an invariant.

2.3 Isabelle 

Isabelle is a generic interactive proof assistant. It enables the formalization of mathematical models and provides tools for proving theorems about them. A particular instantiation of Isabelle is Isabelle/HOL [NPW02], which is based on Higher Order Logic and allows for very expressive specifications. Unlike model checking, proving theorems in a theorem prover like Isabelle/HOL is highly interactive. Specifications have to be designed carefully to make it possible to prove properties about them. Theorem provers require a high level of expertise, but they allow reasoning about models whose state space is too large to be checked automatically by, say, a model checker.

In our formalization, we benefit from the very well-developed formalizations of sets. More precisely, 
we make extensive use of inductively and coinductively defined sets, which come with induction and 
coinduction schemes, respectively. 

3 Formalization of Timed CSP 

In this section, we present our formalization of the operational semantics of Timed CSP. The syntax of Timed CSP is simply given by an inductive datatype ('v,'a) Process parameterized over an alphabet type 'a and a type 'v representing the process variables. We omit its explicit definition here because it is a straightforward realization of the grammar in Figure 1. The operational semantics is given by two inductive sets defining the event and the timed steps. Furthermore, these sets are parameterized over a variable assignment asg :: 'v ⇒ ('v,'a) Process. This is necessary to give (even mutually) recursive processes a semantics (see Section 2.1). As mentioned in Section 2.2, the operational semantics defines a timed labeled transition system. This means that the operational semantics is defined as an instance of the type ('s,'a)lts = ('s × 'a × 's) set. On this basis, we define and examine bisimulations and invariants for Timed CSP in Sections 3.2 and 3.4.

3.1 Operational Semantics 

In Timed CSP, there are four different kinds of steps: event steps, non-visible steps, terminating steps and timed steps. We encode these by the datatype 'a eventplus, where 'a is assumed to be the process alphabet.

    datatype 'a eventplus = ev 'a | tau | tick | time real

We define one single type for all kinds of steps because we want to join event steps (ev 'a, tau, tick) and timed steps (time real) into one single transition relation. This is useful to be able to interpret Timed CSP as a timed labeled transition system (see Section 2.2).

Furthermore, we abbreviate process variable assignments by the type procAsg.

    types ('v,'a)procAsg = 'v ⇒ ('v,'a)Process

Now we are able to define the operational semantics by defining the event steps and the timed steps (see Figure 3). The semantics of process terms depends on such a particular variable assignment. The inductively defined set of rules is a straightforward encoding of the rules in Figure 2.

The timed transitions are defined separately by a second inductively defined set. Note that the timed transitions depend on the formerly defined event transitions. Internal events are instantaneous in Timed CSP. This means that no time may advance when internal transitions are enabled. In the semantics of Sequential Composition and Hiding, it is thus necessary to allow time to advance only if internal transitions are not enabled (see [Sch99]). This is the case, for example, if the first process of the Sequential Composition can successfully terminate.

    inductive_set evstep :: ('v,'a)procAsg ⇒ (('v,'a)Process, 'a eventplus)lts
      for asg :: ('v,'a)procAsg where
    | Timeout_step1: ⟦(Q1, e, Q2) ∈ evstep asg; e = ev a ∨ e = tick⟧
        ⟹ ((Q1 ▷^d P), e, Q2) ∈ evstep asg
    | Timeout_step2: ⟦(Q1, tau, Q2) ∈ evstep asg⟧
        ⟹ ((Q1 ▷^d P), tau, (Q2 ▷^d P)) ∈ evstep asg
    | Timeout_step3: ((Q1 ▷^0 P), tau, P) ∈ evstep asg

    inductive_set tstep :: ('v,'a)procAsg ⇒ (('v,'a)Process, 'a eventplus)lts
      for asg :: ('v,'a)procAsg where
    | Timeout_tstep: ⟦(Q1, time t, Q2) ∈ tstep asg; t ≤ d1⟧
        ⟹ ((Q1 ▷^d1 P), time t, (Q2 ▷^(d1 - t) P)) ∈ tstep asg

Figure 3: Event and Timed Steps

Since we wish to interpret Timed CSP as a labeled transition system, we join event and timed steps.

    constdefs step :: ('v,'a)procAsg ⇒ (('v,'a)Process, 'a eventplus)lts
      step asg ≡ tstep asg ∪ evstep asg

This is done in the definition of step, which comprises the whole transition system of Timed CSP.

3.1.1 Properties of Steps 

With our Isabelle/HOL formalization of the operational semantics of Timed CSP, we can prove some of the standard properties [Sch99]. We explain some examples which are useful in the rest of this paper.

Urgency of Internal Events: Although nothing can be guaranteed about when an external event happens, it is important that internal steps have priority over timed steps. This property is captured by the lemma that internal steps and timed steps are never both possible from the same process.

Constancy of Offers: Timed steps do not change the set of offered (visible) events of a process, i.e., only events (internal as well as external) may change the offers of a process.

Time Determinism: Timed steps do not introduce further nondeterminism. This means that any two timed steps of the same duration from the same process reach the same target process.

Time Additivity: Two consecutive timed steps may be summarized into one timed step (of the summed duration). The other direction holds as well: every timed step may be divided into two consecutive timed steps.
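The following Python script is an added example, not part of the paper's Isabelle theory: it executes the Timeout rules of Figure 3 at the term level for a small fragment of Timed CSP (STOP, SKIP, prefix, process variables and Timeout) and checks urgency of internal events, constancy of offers and time additivity on concrete processes. The fragment, the use of exact rationals for the time domain, the choice of STOP as the process reached after tick, and the sample processes are this example's assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Optional, Set, Tuple, Union


# Process terms of the fragment (an assumed subset of the grammar in Figure 1).
@dataclass(frozen=True)
class Stop:
    pass


@dataclass(frozen=True)
class Skip:
    pass


@dataclass(frozen=True)
class Prefix:            # a -> P
    ev: str
    p: "Proc"


@dataclass(frozen=True)
class Timeout:           # P |>^d Q
    p: "Proc"
    d: Fraction
    q: "Proc"


@dataclass(frozen=True)
class Var:               # process variable X, unfolded via the assignment asg
    name: str


Proc = Union[Stop, Skip, Prefix, Timeout, Var]
TAU, TICK = "tau", "tick"


def evstep(p: Proc, asg: Dict[str, Proc]) -> Set[Tuple[str, Proc]]:
    """Event steps of p (visible event, tau or tick) as (label, successor) pairs."""
    if isinstance(p, Stop):
        return set()
    if isinstance(p, Skip):
        return {(TICK, Stop())}          # termination; Stop stands in for the terminated process (assumption)
    if isinstance(p, Prefix):
        return {(p.ev, p.p)}
    if isinstance(p, Var):
        return {(TAU, asg[p.name])}      # process variables are unfolded by an internal event
    if isinstance(p, Timeout):
        out = set()
        for e, q2 in evstep(p.p, asg):
            if e == TAU:                 # Timeout_step2: internal step, the timeout stays armed
                out.add((TAU, Timeout(q2, p.d, p.q)))
            else:                        # Timeout_step1: a visible event or tick resolves the timeout
                out.add((e, q2))
        if p.d == 0:                     # Timeout_step3: an expired timeout hands control to Q
            out.add((TAU, p.q))
        return out
    raise TypeError(p)


def offers(p: Proc, asg: Dict[str, Proc]) -> Set[str]:
    """Visible events (including tick) currently offered to the environment."""
    return {e for e, _ in evstep(p, asg) if e != TAU}


def tstep(p: Proc, t: Fraction, asg: Dict[str, Proc]) -> Optional[Proc]:
    """Timed step of duration t > 0, or None if time cannot pass from p."""
    if t <= 0:
        raise ValueError("durations must be positive")
    if any(e == TAU for e, _ in evstep(p, asg)):
        return None                      # urgency: internal steps have priority over timed steps
    if isinstance(p, (Stop, Skip, Prefix)):
        return p                         # waiting for the environment: time passes, the term is unchanged
    if isinstance(p, Timeout):
        if t > p.d:
            return None                  # the expiry point cannot be skipped within a single step
        q2 = tstep(p.p, t, asg)
        return None if q2 is None else Timeout(q2, p.d - t, p.q)   # Timeout_tstep
    return None                          # Var always has a tau step and was handled above


def additive(p: Proc, t1: Fraction, t2: Fraction, asg: Dict[str, Proc]) -> bool:
    """Time additivity: t1 then t2 must reach the same process as one step of t1 + t2."""
    via_two = tstep(p, t1, asg)
    via_two = None if via_two is None else tstep(via_two, t2, asg)
    return via_two == tstep(p, t1 + t2, asg)


if __name__ == "__main__":
    asg = {"X": Prefix("a", Var("X"))}                                  # X = a -> X
    P = Timeout(Prefix("a", Skip()), Fraction(3), Prefix("b", Stop()))  # (a -> SKIP) |>^3 (b -> STOP)
    print(tstep(P, Fraction(2), asg))                                   # (a -> SKIP) |>^1 (b -> STOP)
    print(offers(P, asg) == offers(tstep(P, Fraction(2), asg), asg))    # constancy of offers
    expired = tstep(P, Fraction(3), asg)
    print(evstep(expired, asg))                                         # a step and the tau step to b -> STOP
    print(tstep(expired, Fraction(1), asg))                             # None: tau is enabled, time cannot pass
    print(additive(P, Fraction(1), Fraction(2), asg))
    print(tstep(Var("X"), Fraction(1), asg))                            # None: unfolding is urgent
```

Time determinism holds by construction here, since tstep is a function of the term and the duration; the interesting checks are that an armed timeout counts down under timed steps, that the expired timeout refuses to let time pass until its tau step has fired, and that splitting a timed step never changes the target.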

3.1.2 Definition of “complex” transitions 

As explained in Section 2.2, the different kinds of bisimulation have the same structure in that some original transition must be answered adequately by a "complex" transition. It is straightforward to define the transition relations $\rightarrow_{\tau^{*}}$ and $\rightarrow_{\tau\tau}$ from Section 2.2 on the timed labeled transition system of Timed CSP. In the context of our formalization, we call them relWeak and relWeakt, respectively. Their type is ('v,'a)procAsg ⇒ (('v,'a)Process, 'a eventplus)lts in both cases.

We define time_more :: ('v,'a)procAsg ⇒ (('v,'a)Process, real × 'a eventplus)lts as another transition relation which we use for the definition of liveness invariants in Section 3.4. Here, transitions are labeled by tuples indicating that some visible event may be communicated after a certain amount of time.

By (P, (t,a), Q) ∈ time_more asg, we mean a sequence like

$P \xrightarrow{\tau}{}^{*} \cdot \xrightarrow{t_1} \cdot \xrightarrow{\tau}{}^{*} \cdot \xrightarrow{t_2} \cdot \ldots \cdot \xrightarrow{t_n} \cdot \xrightarrow{\tau}{}^{*} \cdot \xrightarrow{a} Q$, where $\sum_{i=1}^{n} t_i = t$.

Based on these definitions, we define bisimulations for Timed CSP processes in Isabelle/HOL, as 
explained in the following section. 

3.2 Bisimulations 

We define bisimulations abstractly for arbitrary labeled transition systems such that we can instantiate these definitions (and hence get the properties) for concrete bisimulations for Timed CSP. We define the greatest bisimulation bisimilar T1 T2 using a coinductively defined set.

    coinductive_set bisimilar :: ('s,'a)lts ⇒ ('s,'a)lts ⇒ ('s × 's)set
      for T1 :: ('s,'a)lts and T2 :: ('s,'a)lts where
      ⟦ ∀ t P2. (P1, t, P2) ∈ T1 ⟶ (∃ Q2. (Q1, t, Q2) ∈ T2 ∧ (P2, Q2) ∈ bisimilar T1 T2);
        ∀ t Q2. (Q1, t, Q2) ∈ T1 ⟶ (∃ P2. (P1, t, P2) ∈ T2 ∧ (P2, Q2) ∈ bisimilar T1 T2) ⟧
      ⟹ (P1, Q1) ∈ bisimilar T1 T2

The relations T1 and T2 are generalizations of the different kinds of complex transition relations mentioned in Section 2.2. The first transition relation (T1) is meant to be the original labeled transition system for which bisimulations are to be defined. The relation T2 represents a complex transition relation that is used for answering steps in the original transition system. The benefit of defining the greatest bisimulation via a coinductive set is that the following coinduction proof scheme can easily be deduced:

    (P, Q) ∈ X
    for all (P1, Q1) ∈ X:  ∀ t P2. (P1, t, P2) ∈ T1 ⟶ (∃ Q2. (Q1, t, Q2) ∈ T2 ∧ (P2, Q2) ∈ X ∪ bisimilar T1 T2)
    for all (P1, Q1) ∈ X:  ∀ t Q2. (Q1, t, Q2) ∈ T1 ⟶ (∃ P2. (P1, t, P2) ∈ T2 ∧ (P2, Q2) ∈ X ∪ bisimilar T1 T2)
    ────────────────────────────────────────────────────────────────────────────────
    (P, Q) ∈ bisimilar T1 T2

Instantiating X with a concrete bisimulation (not necessarily the greatest), the scheme can be used to prove the bisimilarity of two processes. It has to be shown that they can communicate the same events (or let the same time span pass), arriving at processes that are again in X or are already bisimilar. Using this scheme, it can easily be shown that bisimilar T1 T2 is indeed the greatest bisimulation (which is the union of all bisimulations). On this level of abstraction, we are able to prove that the greatest bisimulation is an equivalence relation. This is useful because these lemmas can be instantiated for the different kinds of bisimulations on Timed CSP processes.

The different kinds of bisimulations for Timed CSP can be defined by instantiating T1 with step asg and T2 with step asg, relWeak asg or relWeakt asg. This leads to strong, weak and weak timed bisimulation, respectively. Thus, all these kinds are proved to be equivalence relations because this lemma holds for abstract bisimulations.
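To make the two-relation abstraction concrete, the following Python script (an added example, not the paper's Isabelle development) computes bisimilar T1 T2 for a finite labeled transition system as a greatest fixpoint and instantiates it with T2 = T1 (strong bisimulation, Section 2.2.1) and with T2 = relWeak T1 (weak bisimulation, Section 2.2.2). The transition system SAMPLE and its state names are constructed for this example; weak timed bisimulation is not covered here, since relWeakt over a real-valued time domain is not a finite relation.

```python
from itertools import product

TAU = "tau"

# Constructed sample LTS as (source, label, target) triples:
#   P = a -> tau -> b -> STOP   (states p0..p3)
#   Q = a -> b -> STOP          (states q0..q2)
SAMPLE = {
    ("p0", "a", "p1"), ("p1", TAU, "p2"), ("p2", "b", "p3"),
    ("q0", "a", "q1"), ("q1", "b", "q2"),
}


def states_of(T):
    return {s for (s, _, _) in T} | {q for (_, _, q) in T}


def successors(T, p, label):
    """All q with p --label--> q in T."""
    return {q for (s, l, q) in T if s == p and l == label}


def tau_closure(T, p):
    """States reachable from p by zero or more tau steps (the closure ->tau* of Section 2.2.2)."""
    seen, todo = {p}, [p]
    while todo:
        s = todo.pop()
        for q in successors(T, s, TAU) - seen:
            seen.add(q)
            todo.append(q)
    return seen


def rel_weak(T):
    """The complex relation ->_tau*: a tau-labelled triple for every tau* sequence
    and an a-labelled triple for every tau* a tau* sequence (a != tau)."""
    R = set()
    for p in states_of(T):
        for p1 in tau_closure(T, p):
            R.add((p, TAU, p1))
            for (s, a, p2) in T:
                if s == p1 and a != TAU:
                    for q in tau_closure(T, p2):
                        R.add((p, a, q))
    return R


def greatest_bisimulation(T1, T2):
    """Greatest R such that every T1 step of one component is answered by a T2
    step of the other, landing in R again (the coinductive set bisimilar T1 T2).
    Computed by refining S x S until no pair violates either clause."""
    states = states_of(T1) | states_of(T2)
    R = set(product(states, states))
    changed = True
    while changed:
        changed = False
        for (p, q) in list(R):
            left_ok = all(any((p2, q2) in R for q2 in successors(T2, q, l))
                          for (s, l, p2) in T1 if s == p)
            right_ok = all(any((p2, q2) in R for p2 in successors(T2, p, l))
                           for (s, l, q2) in T1 if s == q)
            if not (left_ok and right_ok):
                R.discard((p, q))
                changed = True
    return R


def strong_bisimilar(T, p, q):
    """Instantiation T1 = T, T2 = T (strong bisimulation)."""
    return (p, q) in greatest_bisimulation(T, T)


def weak_bisimilar(T, p, q):
    """Instantiation T1 = T, T2 = relWeak T (weak bisimulation)."""
    return (p, q) in greatest_bisimulation(T, rel_weak(T))


if __name__ == "__main__":
    print("strong:", strong_bisimilar(SAMPLE, "p0", "q0"))  # q1 cannot answer the tau step of p1
    print("weak:  ", weak_bisimilar(SAMPLE, "p0", "q0"))    # the tau step is answered by q1 staying put
```

The refinement loop is the finite-state counterpart of the coinduction scheme above: the initial relation S × S plays the role of X, and every pair that survives the refinement lies in the greatest bisimulation. Because the check for a pair (p, q) is symmetric in which component's T1 steps are answered, the computed relation is symmetric, matching the equivalence-relation result of the paper.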

3.3 Properties of Bisimilarity 

We have shown the important property that the three kinds of bisimilarity are congruence relations, i.e., from the bisimilarity of the parts of two processes it is possible to conclude the bisimilarity of the composed processes. Note that for these results the properties explained in Section 3.1.1 are of paramount importance because, for example, "internal_urgency" is needed to show that Sequential Composition and Hiding do not destroy the congruence property. Together with algebraic laws, it is possible to do bisimulation proofs almost without considering concrete bisimulation relations. An example of such an algebraic law is that $P1 \stackrel{d_1}{\triangleright} (P2 \stackrel{d_2}{\triangleright} P3)$ is weak timed bisimilar to $(P1 \stackrel{d_1}{\triangleright} P2) \stackrel{d_1+d_2}{\triangleright} P3$. Note that the algebraic laws based on weak timed bisimilarity are not complete w.r.t. the algebraic laws in, for example, the denotational Timed Failures semantics of Timed CSP [Sch99]: in the denotational semantics, the Internal Choice construction is associative, whereas this law does not hold when considering weak timed bisimilarity. In Section 6 we discuss a solution for this problem.

3.4 Invariants

Invariants are able to express liveness conditions of processes. Their origin lies in the theory of coalgebras, where they are predicates on the state space of a coalgebra with certain properties. Invariants are closed under transitions, i.e., if an arbitrary state fulfills the predicate (the invariant), all successor states fulfill it as well. Here, we are interested in invariants on the state space of Timed CSP, i.e., the set of all Timed CSP processes. Of special importance are greatest invariants. As explained in Section 2.2.4, for every predicate there exists a greatest invariant contained in the predicate. In Isabelle, we again take a coinductive set to define the greatest invariant w.r.t. a predicate of interest.

    coinductive_set invariant :: ('v,'a)procAsg ⇒ (('v,'a)Process ⇒ bool) ⇒ ('v,'a)Process set
      for asg :: ('v,'a)procAsg and Pred :: (('v,'a)Process ⇒ bool) where
      ⟦ Pred Q; ∀ e Q1. (Q, e, Q1) ∈ step asg ⟶ Q1 ∈ invariant asg Pred ⟧
      ⟹ Q ∈ invariant asg Pred

To define a particularly useful class of liveness conditions, we focus on predicates of the form livePred. A process fulfills such a predicate if there exists a step (P, (t,a), P') in the sense of time_more (see Section 3.1.2) to another process such that the label fulfills a certain property IPred. Remember that the transition relation time_more is defined as being labeled by tuples (t,a), where t represents the time and a is some event. The instantiation of the (greatest) invariant is given below.

    constdefs livePred :: ('v,'a)procAsg ⇒ ((real × 'a eventplus) ⇒ bool) ⇒ ('v,'a)Process ⇒ bool
      livePred asg IPred P ≡ ∃ e Q. (P, e, Q) ∈ time_more asg ∧ IPred e

    constdefs liveInvariant :: ('v,'a)procAsg ⇒ ((real × 'a eventplus) ⇒ bool) ⇒ ('v,'a)Process set
      liveInvariant asg IPred ≡ invariant asg (livePred asg IPred)

The intent behind this special invariant is that some real-time process should always be able to react to an external event within a certain amount of time. This constraint can be embedded by defining the predicate IPred appropriately.

All invariants of the above form have a useful property: they are closed under weak timed bisimilarity. This is captured by the following theorem.

    lemma liveInvariant_bisim: ⟦P ∈ liveInvariant asg IPred;
                                (P, Q) ∈ weak_timed_bisimilar asg⟧
      ⟹ Q ∈ liveInvariant asg IPred

To show a (liveness) property on a possibly complex process, we can show the property on a simpler bisimilar process instead. We will use this technique for our case study in the next section.


4 Application 

To show the applicability of our formalization, we prove properties of a (rather simple) abstract specification of a satellite system. This satellite runs two main tasks. One is responsible for recognizing fire sources on Earth and sending messages to the ground station. The other is responsible for rotating the solar panel in case of changes in the angle to the sun. This second task is the more important one, as it ensures the satellite's survival by supplying it with energy. The behavior is realized by reacting to the events danger, rotation, fire and warning.

In our specification (Figure 4), the first task is realized by process T1p and the second by the subprocesses T2p and T3p. The Interrupt construction ($\triangle$) gives a higher priority to the second task. This means that whenever a danger event is received, the first task is aborted to adjust the angle of the panel. We assume that it takes one time unit to send a message to Earth, whereas the adjustment takes five time units. We wish to show that it is always possible to recognize a fire within at most five time units. This means that no deadlock may occur and that no situation may occur in which it is not possible to react to fire within five time units.

    $T   = T1 \setminus \{rotation, warning\}$, where $T1 = (T1p \;\triangle\; (T2p \parallel_{\{rotation\}} T3p)); T1$
    $T1p = fire \xrightarrow{1} warning \rightarrow SKIP$
    $T2p = danger \rightarrow rotation \rightarrow SKIP$
    $T3p = rotation \xrightarrow{5} SKIP$

    $Tn  = (fire \xrightarrow{1} SKIP \;\triangle\; danger \xrightarrow{5} SKIP); Tn$

Figure 4: Specification (T) and Abstract Specification (Tn) of a Simple Satellite

For this purpose, we first show that process T is weak timed bisimilar to the process Tn in Figure 4. Essentially, the equivalence proof of both processes can be performed by making use of the congruence property of weak timed bisimilarity. Together with simple algebraic laws, which can be proved abstractly, it is possible to prove them bisimilar without considering a concrete bisimulation relation. Since Tn has a simpler structure, the invariant is easier to prove than for the original process T.

Despite being a rather simple example, it does clearly demonstrate our proof principle: we prove a "complex" process to be correct by abstracting from its irrelevant internals and verifying on the abstract level. We show the correctness of the "complex" process T by instantiating our liveness invariant accordingly. Then we prove that process Tn fulfills this invariant, such that we can use the lemma from the former section to deduce that T fulfills the invariant as well. We define the invariant as follows:

    constdefs fire_pred :: (real × event eventplus) ⇒ bool
      fire_pred e ≡ ∃ t. e = (t, ev fire) ∧ t ≤ 5

Then our correctness criterion is expressed as T ∈ liveInvariant pasg fire_pred. The proof for this is quite straightforward if we expand the state space of this process. For every reachable process, it must hold that it is possible to reach the initial process Tn again within five time units. The state space for this process is infinite because the Timeout construction is involved. Fortunately, it can be compressed by considering something similar to region graphs in the context of timed automata. This means, for example, that the set of processes $\{(WAIT\,d \;\triangle\; danger \xrightarrow{5} SKIP); Tn \mid 0 < d \le 1\}$ can be considered as a whole, because every process in this set can reach the process Tn in at most five time units.
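The following Python script is an added example, not the paper's Isabelle proof: it runs the invariant machinery of Section 3.4 on a finite, discrete-time abstraction of Tn. Time passes in unit steps, the state names idle/sending/rotating and the "slow rotation" variant are constructed for this example, and the greatest invariant is computed as a fixpoint rather than defined coinductively. With the five-unit rotation of Figure 4 every state satisfies the fire-within-five liveness predicate, so Tn lies in the live invariant; with a seven-unit rotation the greatest invariant collapses to the empty set, which is how the invariant detects a violated deadline.

```python
TAU = "tau"


def satellite_lts(rotation_time=5):
    """Discrete-time abstraction of Tn as (source, label, target) triples.
    Labels are visible events, TAU, or ("time", 1) for one elapsed time unit."""
    T = {
        ("idle", "fire", "sending1"),
        ("idle", "danger", f"rotating{rotation_time}"),
        ("idle", ("time", 1), "idle"),                        # nothing forces fire/danger: time may pass
        ("sending1", ("time", 1), "sending0"),                # fire ->1 SKIP: one unit to send the message
        ("sending1", "danger", f"rotating{rotation_time}"),   # interrupt: danger aborts the sending task
        ("sending0", TAU, "idle"),                            # SKIP; Tn unfolds internally
        ("rotating0", TAU, "idle"),
    }
    for k in range(rotation_time, 0, -1):                     # danger ->5 SKIP, counted down unit by unit
        T.add((f"rotating{k}", ("time", 1), f"rotating{k - 1}"))
    return T


def states_of(T):
    return {s for (s, _, _) in T} | {q for (_, _, q) in T}


def successors(T, p):
    return [(l, q) for (s, l, q) in T if s == p]


def time_more(T, p, bound):
    """Labels (t, a) of the time_more transitions from p: a visible event a
    after exactly t time units, with tau steps interleaved.  Exploration stops
    beyond bound because timed self-loops make the full set infinite."""
    labels, seen, todo = set(), set(), [(p, 0)]
    while todo:
        s, t = todo.pop()
        if (s, t) in seen or t > bound:
            continue
        seen.add((s, t))
        for l, q in successors(T, s):
            if l == TAU:
                todo.append((q, t))
            elif isinstance(l, tuple) and l[0] == "time":
                todo.append((q, t + l[1]))
            else:
                labels.add((t, l))
    return labels


def greatest_invariant(T, pred):
    """Largest I within {s | pred(s)} that is closed under every step of T
    (Section 2.2.4): drop states with a successor outside I until stable."""
    I = {s for s in states_of(T) if pred(s)}
    changed = True
    while changed:
        changed = False
        for s in list(I):
            if any(q not in I for (_, q) in successors(T, s)):
                I.discard(s)
                changed = True
    return I


def live_invariant(T, ipred, bound):
    """liveInvariant: the greatest invariant of livePred, i.e. of
    'some time_more label (t, a) from this state satisfies ipred'."""
    return greatest_invariant(T, lambda p: any(ipred(t, a) for (t, a) in time_more(T, p, bound)))


def fire_pred(t, a):
    """fire_pred of Section 4: fire can be reacted to within five time units."""
    return a == "fire" and t <= 5


if __name__ == "__main__":
    T5 = satellite_lts(5)
    print(live_invariant(T5, fire_pred, 5) == states_of(T5))   # True: every reachable state is live
    T7 = satellite_lts(7)
    print(live_invariant(T7, fire_pred, 5))                    # set(): the deadline is violated
```

In the seven-unit variant only the rotating states with at most five units left satisfy livePred by themselves, but each of them eventually steps back to idle, from which danger leads to a non-live state, so the closure condition removes every state in turn. This mirrors the region-graph argument in the text: what matters is whether every reachable process can return to Tn within the deadline, not the exact value of the remaining delay.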

5 Related Work 

Related work on the formalization of CSP and Timed CSP in formal systems includes the following. A denotational failures semantics of CSP formalized in Isabelle/HOL is presented in [TW97]. Recursive processes are represented by fixed points. Infinitely running processes are treated by considering arbitrarily long prefixes of their state transition sequences. The formalization is based on a shallow embedding. An extension of this work is described in [Int02]. In its current state, this work is incomplete. In addition, the chosen formalization decisions appear to have led to a rather clumsy specification that makes proofs unnecessarily complicated. A further formalization of CSP in Isabelle/HOL is described in [IR05]. This formalization is based on a denotational failures semantics and set up by a deep embedding. A different approach has been taken in [DHSZ06], where an operational semantics of Timed CSP has been set up in a Prolog-like style using a constraint-logic programming language. The transition rules of the operational semantics have been defined by rules and facts. Infinite traces are represented by allowing the unification process to run infinitely long, thus creating all traces. The time model only deals with discrete time.

None of this work formalizes Timed CSP fully, in particular with continuous time, as we have done in the work presented in this paper. We have based our formalization on an operational semantics, not on a denotational one, to fully exploit coalgebraic techniques and bisimulation in particular.


6 Conclusion 

In this paper, we have presented a complete formalization of the operational semantics of the Timed CSP calculus. Our semantics models a transition system, which in turn allows us to employ coalgebraic proof techniques such as bisimulations and invariants. We have defined several forms of bisimulation (strong, weak and weak timed) and have proved congruence properties about them. To simplify the use of bisimulations in formal proofs, we have shown that there exists an abstraction which is valid for all three kinds of bisimulation and can be used as a generalization in proofs. Moreover, we have shown that invariants can be used to verify liveness properties of processes. To simplify proofs involving invariants, we have shown that, under certain conditions, it suffices to verify invariants on simpler processes instead of on the original ones. As a sanity check of our formalization, we have formalized two simple tasks in a satellite system and have verified their liveness properties.

In future work, we aim to extend our formalization of the semantics such that weaker equivalences between processes can also be captured. We thus seek to adapt the ideas presented in [dFELN99], where the operationally defined original transition system is transformed appropriately to obtain a weaker notion of equivalence. Furthermore, we are currently extending our case study of the satellite operating system with the long-term goal of fully verifying this software system. We have developed a specification for a real-time scheduler and further components, for which we are currently conducting the correctness proofs in Isabelle.